India’s $41 billion outsourcing industry and its clients can breathe a sigh of relief: the Indian Government has issued an official clarification concerning its new, broad privacy regulations.
As noted in an earlier blog, in April 2011, India adopted new privacy rules under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These rules are applicable to all organizations that collect and use sensitive personal data and information in India. These rules seemed to have a broad impact on India’s outsourcing industry.
The rules appeared to construct limitations on India’s outsourcers in both acquiring and transferring sensitive personal data. On the one hand, companies or their intermediaries appeared to be required to receive written consent from the information provider by letter, fax, or email, regarding the purpose of the use of the data under Rule 5(1) of the Privacy Rules.
Similarly, Rule 6 requires organizations to obtain prior consent of the information provider before transferring sensitive personal data to third parties unless disclosure has already been agreed to by contract or required by law. Further, no organization inside India would be able to transfer sensitive personal data to a third party outside of India unless the transferee ensures the same level of protection as required under the Indian Rules. Sensitive personal data is defined as financial information; passwords; physical, physiological, and mental health condition; sexual orientation; medical records and history; and biometric information.
This combination of likely restrictions proved relatively drastic and potentially burdensome to India’s outsourcing industry. The flow of data between the United States and India has long been unrestricted and largely unregulated. The new Indian Rules appeared more stringent than the existing privacy laws of the United States. To this extent, American companies doing business with India apparently needed to update their privacy practices in order to comply with the new privacy regulations.
At the same time, the rules were impractical. For instance, a requirement of written consent from every foreign citizen whose sensitive personal data moved through India’s enormous collection of call centers and other outsourcing operations would be cumbersome for Indian outsourcers to implement.
In response to industry concerns, the Indian Government has since clarified its recently adopted privacy regulations. India issued an official clarification recently, noting that sensitive personal data sent to India by customers outsourcing information technology work will not be covered by Rules 5 and 6 of the Privacy Rules. Rather, the new privacy rules only apply to Indian companies that collect information from “natural persons.” It is the companies collecting and sending the data, as opposed to the outsourcers, who are responsible for protecting the privacy of the data according to the rules of their respective countries. Therefore, United States companies sending data for processing to Indian outsourcers will be required to follow the privacy laws of the United States, not India.
However, this clarification might not be the last, as some believe Indian outsourcers have received preferential treatment under the Indian Government’s recent explanation. Further, such treatment allegedly violates the spirit of the Information Technology Act, the Act under which the Privacy Rules have been promulgated. Notably, Section 1(2) of the Act states that it applies to “the whole of India and…to any offence or contravention thereunder committed outside India.” For these reasons, the clarification restricting the application of the Privacy Rules to companies or persons located within India could eventually be struck down in court. We will follow the developments in India.